Best practices for fighting phishing attacks
Just when you thought it was safe to slip into today’s e-commerce waters, phishing has arisen as one of the world’s most dangerous scams.
Phishing entails the distribution of e-mail messages with return addresses, links, and graphic art that make the e-mails appear to be legitimate, as if deployed by financial institutions to their clients.
Unfortunately, the entire goal of these e-mails is to trick unsuspecting recipients into divulging personal account, credit card, and other confidential information. Once a consumer has shared this information, phishers are free to commit identity theft and perform fraudulent transactions using the stolen information.
Phishers also steal proprietary information from customers by tricking them into visiting a phishing Web site, as well as by installing spyware on a customer’s computer so that information can be stolen when an individual visits a legitimate site.
An equal-opportunity offender
These days, no one is safe from scammers’ ill intentions. Customers of corporate powerhouses, financial institutions, insurance agents, as well as credit and loan organizations, have all fallen victim to phishing expeditions.
Phishers target well-known organizations because most phishing e-mails are sent indiscriminately. Established organizations have more customers, so any given recipient is more likely to be a customer of the impersonated organization and to take the message at face value.
In fact, fraudulent e-mails purporting to be from The Federal Deposit Insurance Corp. and the American Bankers Association have penetrated in-boxes around the world. Even the FBI can count itself a phishing casualty.
The phishing threat shows no signs of slowing down. As reported by the Anti-Phishing Working Group, an industry association that fights identity theft and fraud, 176 unique new phishing attacks were reported in January 2004, amounting to 5.7 new attacks per day. By June 2004, that number had skyrocketed to a reported 1,422 unique phishing attacks.
Analysts estimate that up to 5 percent of fraudulent e-mail requests actually succeed in obtaining a recipient’s confidential data. But consumers aren’t the only ones to be inconvenienced by a phishing threat. One top-20 U.S. bank recently fielded up to 90,000 phone calls per hour after a phishing attack in February paralyzed the bank for five hours.
What’s more, companies that fall victim to phishing attacks risk losing the trust of their online customers. For example, if a bank becomes the target of a scammer, its customers are much more likely to shy away from performing online banking transactions.
Don’t take the bait
These days, phishers are resorting to increasingly sophisticated tactics, such as using pop-up windows and fake padlock symbols to fool unwitting visitors. There are ways, however, to avoid becoming phishing bait. McAfee recommends that companies create – and frequently communicate – corporate security policies for e-mail content so that legitimate e-mail cannot be confused with phishing.
One such policy is that the company never asks its customers to fill out a form embedded in an e-mail. If a customer then receives an e-mail containing a form, the message can immediately be identified as a phishing attempt.
Next, companies should always give consumers a way to verify that an e-mail message is legitimate and not from a phisher. To accomplish this, companies should establish a policy of embedding authentication information in every e-mail they send to their customers.
For example, some companies ask their customers to select a personalized graphic that is embedded in every e-mail, making it harder for phishers to imitate the company's messages.
Companies should avoid embedding clickable links in HTML e-mail. And because phishers rely on harvesting passwords, businesses should also avoid asking customers to enter sensitive information when logging on to a Web site. Smart cards and other authentication tokens are far stronger authentication methods than passwords and social security numbers.
Customers would also be wise to set their Web browser security to the highest level possible and to configure their browsers to display warnings about insecure (plain HTTP) connections, so that they know whether they are visiting a secure site.
Phishers can be stopped in their tracks if companies actively monitor the Internet for potential phishing Web sites, which often appear before the launch of the phishing e-mails.
And finally, it is always wise for businesses to implement high-quality secure content management solutions – tools that companies often offer their customers as business services. For example, McAfee offers anti-spam solutions that can identify phishing messages at the gateway, anti-virus desktop solutions that catch keyloggers, and intrusion protection tools for Web site hosting. By installing this type of protection, you can be sure that all of your inbound and outbound messaging traffic is checked before any unwanted content can infect your network or affect your users.
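The two content policies above (no forms in e-mail, no clickable links that lead anywhere but the company's own sites) can be enforced mechanically at the mail gateway. The following Python scanner is an added example, not McAfee's product or code from this article; it assumes a hypothetical allow-list of the company's own domains and runs on a constructed sample message that breaks both policies.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _HtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._href, self._text = 0, [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "form":            # policy 1: no forms in e-mail
            self.forms += 1
        elif tag == "a":             # policy 2: record every clickable link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def scan_message(raw, allowed_domains):
    """Return policy violations found in the HTML parts of an RFC 5322 message."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _HtmlScanner()
        scanner.feed(part.get_content())
        if scanner.forms:
            findings.append("embedded form")
        for href, text in scanner.links:
            host = _host(href)
            if host and not any(host == d or host.endswith("." + d) for d in allowed_domains):
                findings.append("link to " + host)
            shown = _host("http://" + text) if "." in text and " " not in text else ""
            if shown and shown != host:  # visible text names a different host than the target
                findings.append("link text " + shown + " hides " + host)
    return findings

SAMPLE = b"""From: "Example Bank" <alerts@example-bank.test>
Content-Type: text/html; charset="us-ascii"

<html><body><form action="http://198.51.100.7/verify" method="post">
<input name="account"><input name="pin" type="password"></form>
<a href="http://198.51.100.7/login">www.example-bank.test</a></body></html>"""  # constructed sample
```

Running `scan_message(SAMPLE, {"example-bank.test"})` reports the embedded form, the link to an address outside the allow-list, and the link text that impersonates the bank's own host.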
